Last updated: 2026-05-21
Security & Vulnerability Disclosure
We take the security of our customers' data seriously. If you believe you have found a security vulnerability in any ELLYTIC Technologies UG (haftungsbeschränkt) service, we encourage you to report it to us in line with the policy below. We commit to working with researchers in good faith and acknowledging valid reports.
In Scope
The following ELLYTIC properties are in scope for security reports:
- ellytic.com and all subdomains (*.ellytic.com)
- app.ellytic.com (Ops Workbench)
- API endpoints under ellytic.com/api/* and app.ellytic.com/api/*
- Authentication flows, including OAuth, magic-link, and TOTP MFA
- Customer dashboards and order workflows
- Wizard checkout, payment, and document upload flows
Out of Scope
The following are explicitly out of scope and reports will not be eligible for acknowledgement:
- Denial-of-service (DoS / DDoS) attacks and volumetric tests
- Social engineering, phishing, or physical attacks against employees, contractors, or customers
- Findings from automated scanners without working proof-of-concept (e.g. missing security headers without exploitable impact)
- Best-practice or hardening suggestions without a concrete vulnerability (e.g. CSP tweaks, TLS cipher preferences)
- Reports against third-party services we do not operate (Stripe, IDnow, YouSign, Sanity, Vercel, Neon, Resend) — report those to the vendor directly
- Issues requiring physical access to a victim's unlocked device
- Self-XSS or vulnerabilities that require victim configuration changes to be exploitable
- Outdated software disclosure (CVE in dependency) without a demonstrated exploit path in our environment
How to Report
Send a detailed report to security@ellytic.com. Include enough information for us to reproduce and triage the issue quickly. PGP encryption is supported on request.
- Affected URL, endpoint, or component
- Step-by-step reproduction (commands, payloads, expected vs. actual)
- Impact assessment — what data or functionality is at risk?
- Your contact details and how you would like to be acknowledged (real name, handle, or anonymous)
- Any supporting screenshots, video, or HTTP request logs (please redact any third-party data)
Please do not publicly disclose the issue until we have confirmed remediation. We commit to a public acknowledgement (with your consent) once a fix is shipped.
Safe Harbor
We will not pursue civil action or law-enforcement involvement for good-faith research that complies with this policy. "Good-faith" means:
- You make a genuine effort to avoid privacy violations, destruction of data, and disruption of service
- You stop testing as soon as you have established that a vulnerability exists, and report it
- You do not access, modify, or download data beyond the minimum required to demonstrate the issue
- You only target your own test accounts — never another customer's data
- You do not exploit the issue for profit or share it with third parties before disclosure
- You give us a reasonable window (see response times below) to remediate before any public disclosure
Our Response Times
We aim to respond to security reports within these targets. Critical issues take precedence over scheduled work.
- Initial acknowledgement: within 2 business days
- Triage and severity assessment: within 5 business days
- Status updates while remediation is in progress: at least every 14 days
- Resolution target (critical / high severity): 30 days from confirmation
- Resolution target (medium / low severity): 90 days from confirmation
- Public disclosure: coordinated with the reporter, typically after a fix is deployed
Rewards
ELLYTIC does not currently operate a paid bug-bounty programme. We will publicly acknowledge valid reports (with your consent) on this page and on our hall of fame. As we grow, we plan to introduce monetary rewards for high-impact findings; researchers who have already submitted qualifying reports will be invited first.
Acknowledgements
We thank all researchers who have responsibly reported issues to us. Reporters are listed here with their consent. (No public reports to date — be the first.)
Contact
All security correspondence should go to security@ellytic.com.
- Email: security@ellytic.com
- Machine-readable: /.well-known/security.txt (RFC 9116)
- Preferred languages: English, German
- Postal: ELLYTIC Technologies UG (haftungsbeschränkt), see Imprint for the full address